ZoneAlarm not blocking AVG auto update

The ZoneAlarm people have always given assurances that even though
the icon for ZoneAlarm take a while to show up on the monitor, the
firewall itself is running and working immediately to block any
Internet traffic to or from your computer.

Advertisements

on 8/9/2006 2:03 PM Al Smith said the following:
> The ZoneAlarm people have always given assurances that even though the
> icon for ZoneAlarm take a while to show up on the monitor, the firewall
> itself is running and working immediately to block any Internet traffic
> to or from your computer.
>
> Well, bullshit. I recently installed AVG. I'm running ZoneAlarm Free
> 6.1.737. AVG can phone home from my computer at boot-up, and download
> its anti-virus update *before* ZoneAlarm starts.
>
> There's no doubt about this. I do not have any permissions in ZoneAlarm
> to allow AVG access, and no warning popped up in ZoneAlarm telling me
> that AVG wanted to access the Internet.
>
> I disabled the AVG update service, so AVG won't be automatically
> connecting anymore, but if AVG can do it, so can any other program.
> Which makes ZoneAlarm more or less worthless.

Which raises the question, can't you control this by changing the load
order? Personally, I think I'd rather have my AV software load first so
it can take a look at anything else that loads. I use Kaspersky, i can
imagine a malware that loads B4 KAV, and hides itself from KAV. But KAV
can handle it if you can reverse the order.

Advertisements

>> The ZoneAlarm people have always given assurances that even though the icon for ZoneAlarm take a while to show up on the monitor, the firewall itself is running and working immediately to block any Internet traffic to or from your computer.
>>
>> Well, bullshit. I recently installed AVG. I'm running ZoneAlarm Free 6.1.737. AVG can phone home from my computer at boot-up, and download its anti-virus update *before* ZoneAlarm starts.
>>
>> There's no doubt about this. I do not have any permissions in ZoneAlarm to allow AVG access, and no warning popped up in ZoneAlarm telling me that AVG wanted to access the Internet.
>>
>> I disabled the AVG update service, so AVG won't be automatically connecting anymore, but if AVG can do it, so can any other program. Which makes ZoneAlarm more or less worthless.
>
>
> Which raises the question, can't you control this by changing the load order? Personally, I think I'd rather have my AV software load first so it can take a look at anything else that loads. I use Kaspersky, i can imagine a malware that loads B4 KAV, and hides itself from KAV. But KAV can handle it if you can reverse the order.
>
> Anyone know how to do this and if it is desirable?

Seems to me that the firewall should load first when you have an
always-on Internet connection. It's worrying, only because if AVG
can load before ZA, probably anything else can also. Major point I
wanted to make is that when ZoneAlarm tells you that the firewall
loads first, even though the icon may not be up on the screen,
they are lying through their teeth.

on 8/9/2006 4:04 PM Al Smith said the following:
>>> The ZoneAlarm people have always given assurances that even though
>>> the icon for ZoneAlarm take a while to show up on the monitor, the
>>> firewall itself is running and working immediately to block any
>>> Internet traffic to or from your computer.
>>>
>>> Well, bullshit. I recently installed AVG. I'm running ZoneAlarm Free
>>> 6.1.737. AVG can phone home from my computer at boot-up, and download
>>> its anti-virus update *before* ZoneAlarm starts.
>>>
>>> There's no doubt about this. I do not have any permissions in
>>> ZoneAlarm to allow AVG access, and no warning popped up in ZoneAlarm
>>> telling me that AVG wanted to access the Internet.
>>>
>>> I disabled the AVG update service, so AVG won't be automatically
>>> connecting anymore, but if AVG can do it, so can any other program.
>>> Which makes ZoneAlarm more or less worthless.
>>
>>
>> Which raises the question, can't you control this by changing the load
>> order? Personally, I think I'd rather have my AV software load first
>> so it can take a look at anything else that loads. I use Kaspersky, i
>> can imagine a malware that loads B4 KAV, and hides itself from KAV.
>> But KAV can handle it if you can reverse the order.
>>
>> Anyone know how to do this and if it is desirable?
>
>
> Seems to me that the firewall should load first when you have an
> always-on Internet connection. It's worrying, only because if AVG can
> load before ZA, probably anything else can also. Major point I wanted to
> make is that when ZoneAlarm tells you that the firewall loads first,
> even though the icon may not be up on the screen, they are lying through
> their teeth.

Oh, I got that. And I see your point about the FW first. Basically I
see both AV and FW as basic level services and IMHO the only things that
should load before either are the services that are essential to getting
the FW and AV to function.

In the specific case of ZA, maybe they aren't "lying" per se, just
wrong. Suppose their installer is designed to have the FW load first,
and as far as they know, it works. But AVG is designed to do the same
thing (since the AVG coders think the order should be AV then FW) and
their software "won" the load first battle.

Shouldn't the user be able to control this behavior? Gee, I'm back to
my original question. Buhler? . . . Buhler? . . . Anyone? . . . Anyone?

On Wed, 09 Aug 2006 23:04:14 GMT, Al Smith <>
wrote:
>>> The ZoneAlarm people have always given assurances that even though the icon for ZoneAlarm take a while to show up on the monitor, the firewall itself is running and working immediately to block any Internet traffic to or from your computer.
>>>
>>> Well, bullshit. I recently installed AVG. I'm running ZoneAlarm Free 6.1.737. AVG can phone home from my computer at boot-up, and download its anti-virus update *before* ZoneAlarm starts.
>>>
>>> There's no doubt about this. I do not have any permissions in ZoneAlarm to allow AVG access, and no warning popped up in ZoneAlarm telling me that AVG wanted to access the Internet.
>>>
>>> I disabled the AVG update service, so AVG won't be automatically connecting anymore, but if AVG can do it, so can any other program. Which makes ZoneAlarm more or less worthless.
>>
>>
>> Which raises the question, can't you control this by changing the load order? Personally, I think I'd rather have my AV software load first so it can take a look at anything else that loads. I use Kaspersky, i can imagine a malware that loads B4 KAV, and hides itself from KAV. But KAV can handle it if you can reverse the order.
>>
>> Anyone know how to do this and if it is desirable?
>
>
>Seems to me that the firewall should load first when you have an
>always-on Internet connection. It's worrying, only because if AVG
>can load before ZA, probably anything else can also.

AFAIK, the only firewall that does that truly reliably is the build-in
windows firewall (XXP SP2) since it is an integral part of the OS.
It has a special (non-configurable) boot-time filter allowing only
initial network traffic (DNS, DHCP etc.) until machine is running and
firewall is in place. That's when the "normal" filtering rules take
effect.
>Major point I wanted to make is that when ZoneAlarm tells you that
>the firewall loads first, even though the icon may not be up on the screen,
>they are lying through their teeth.

On Wed, 09 Aug 2006 21:03:10 GMT, Al Smith <>
wrote:
>The ZoneAlarm people have always given assurances that even though
>the icon for ZoneAlarm take a while to show up on the monitor, the
>firewall itself is running and working immediately to block any
>Internet traffic to or from your computer.
>
>Well, bullshit. I recently installed AVG. I'm running ZoneAlarm
>Free 6.1.737. AVG can phone home from my computer at boot-up, and
>download its anti-virus update *before* ZoneAlarm starts.

I don't see what you mean. I'm using ZA 6.1.744.001 and AVG doesn't
update without ZA asking for permission. I deleted the AVG Update
download entry from ZA's program list, and it ask for permission on
the next update. It seems to be working as I expect it to for me. :/
--
Zilbandy - Tucson, Arizona USA <>
Dead Suburban's Home Page: http://zilbandy.com/suburb/
PGP Public Key: http://zilbandy.com/pgpkey.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

>>Seems to me that the firewall should load first when you have an
>>>always-on Internet connection. It's worrying, only because if AVG
>>>can load before ZA, probably anything else can also.
>
>
> AFAIK, the only firewall that does that truly reliably is the build-in
> windows firewall (XXP SP2) since it is an integral part of the OS.
> It has a special (non-configurable) boot-time filter allowing only
> initial network traffic (DNS, DHCP etc.) until machine is running and
> firewall is in place. That's when the "normal" filtering rules take
> effect.
>

I'd be tempted to run the Windows firewall in combination with
ZoneAlarm, except that ZoneAlarm wants to deactivate the Windows
firewall when it runs (probably for good reasons -- conflicts).
I'm not sure if I can turn the Windows firewall on in any case
with ZoneAlarm running, but I guess I can try.

>>Well, bullshit. I recently installed AVG. I'm running ZoneAlarm
>>>Free 6.1.737. AVG can phone home from my computer at boot-up, and
>>>download its anti-virus update *before* ZoneAlarm starts.
>
>
> I don't see what you mean. I'm using ZA 6.1.744.001 and AVG doesn't
> update without ZA asking for permission. I deleted the AVG Update
> download entry from ZA's program list, and it ask for permission on
> the next update. It seems to be working as I expect it to for me. :/

On Wed, 09 Aug 2006 14:42:00 -0700, John Hyde <>
wrote:
>on 8/9/2006 2:03 PM Al Smith said the following:
>> The ZoneAlarm people have always given assurances that even though the
>> icon for ZoneAlarm take a while to show up on the monitor, the firewall
>> itself is running and working immediately to block any Internet traffic
>> to or from your computer.
>>
>> Well, bullshit. I recently installed AVG. I'm running ZoneAlarm Free
>> 6.1.737. AVG can phone home from my computer at boot-up, and download
>> its anti-virus update *before* ZoneAlarm starts.
>>
>> There's no doubt about this. I do not have any permissions in ZoneAlarm
>> to allow AVG access, and no warning popped up in ZoneAlarm telling me
>> that AVG wanted to access the Internet.
>>
>> I disabled the AVG update service, so AVG won't be automatically
>> connecting anymore, but if AVG can do it, so can any other program.
>> Which makes ZoneAlarm more or less worthless.
>
>Which raises the question, can't you control this by changing the load
>order?

"In addition, security has been further hardened across the entire
ZoneAlarm product line with the addition of "boot-time protection,"
which begins protecting the PC before network drivers are loaded. This
extra layer protects the PC at the earliest possible opportunity, thus
providing no window of opportunity for malicious programs to
communicate." - pasted fromhttp://download.zonelabs.com/bin/free/pressReleases/2004/pr_zass50.html

So of course it should work, or otherwise we will just start to
believe they are lying.

On Thu, 10 Aug 2006 18:50:40 GMT, Al Smith <>
wrote:
>>>Seems to me that the firewall should load first when you have an
>>>>always-on Internet connection. It's worrying, only because if AVG
>>>>can load before ZA, probably anything else can also.
>>
>>
>> AFAIK, the only firewall that does that truly reliably is the build-in
>> windows firewall (XXP SP2) since it is an integral part of the OS.
>> It has a special (non-configurable) boot-time filter allowing only
>> initial network traffic (DNS, DHCP etc.) until machine is running and
>> firewall is in place. That's when the "normal" filtering rules take
>> effect.
>>
>
>I'd be tempted to run the Windows firewall in combination with
>ZoneAlarm, except that ZoneAlarm wants to deactivate the Windows
>firewall when it runs (probably for good reasons -- conflicts).
>I'm not sure if I can turn the Windows firewall on in any case
>with ZoneAlarm running, but I guess I can try.

In article <ifLCg.1585$395.1452@edtnps90>, says...
> >>Well, bullshit. I recently installed AVG. I'm running ZoneAlarm
> >>>Free 6.1.737. AVG can phone home from my computer at boot-up, and
> >>>download its anti-virus update *before* ZoneAlarm starts.
> >
> >
> > I don't see what you mean. I'm using ZA 6.1.744.001 and AVG doesn't
> > update without ZA asking for permission. I deleted the AVG Update
> > download entry from ZA's program list, and it ask for permission on
> > the next update. It seems to be working as I expect it to for me. :/
>
>
> Sure it asks for permission -- if ZoneAlarm is running. Maybe on
> your machine, ZoneAlarm starts before AVG. On my machine, AVG
> starts first.
>

They both run as a service and start up before other apps. It's highly
doubtful that AVG has time to do an entire update prior to the ZA
service loading, so I'd say there is something hosed somewhere in your
setup there. Perhaps the True Vector service isn't even loading at all?
Sounds very fishy...

> "In addition, security has been further hardened across the entire
> ZoneAlarm product line with the addition of "boot-time protection,"
> which begins protecting the PC before network drivers are loaded. This
> extra layer protects the PC at the earliest possible opportunity, thus
> providing no window of opportunity for malicious programs to
> communicate." - pasted from
> http://download.zonelabs.com/bin/free/pressReleases/2004/pr_zass50.html
>
> So of course it should work, or otherwise we will just start to
> believe they are lying.

They are lying, believe it. The update of AVG that occurred the
last time only took about two seconds, but it happened, and no
alert from ZoneAlarm. I got the AVG screen saying the update had
completed successfully.

>>>>Well, bullshit. I recently installed AVG. I'm running ZoneAlarm
>>>>
>>>>>> >>>Free 6.1.737. AVG can phone home from my computer at boot-up, and
>>>>>> >>>download its anti-virus update *before* ZoneAlarm starts.
>>>
>>>> >
>>>> >
>>>> > I don't see what you mean. I'm using ZA 6.1.744.001 and AVG doesn't
>>>> > update without ZA asking for permission. I deleted the AVG Update
>>>> > download entry from ZA's program list, and it ask for permission on
>>>> > the next update. It seems to be working as I expect it to for me. :/
>>
>>>
>>>
>>> Sure it asks for permission -- if ZoneAlarm is running. Maybe on
>>> your machine, ZoneAlarm starts before AVG. On my machine, AVG
>>> starts first.
>>>
>
>
> They both run as a service and start up before other apps. It's highly
> doubtful that AVG has time to do an entire update prior to the ZA
> service loading, so I'd say there is something hosed somewhere in your
> setup there. Perhaps the True Vector service isn't even loading at all?
> Sounds very fishy...
>
> --

I'm going to try updating to the latest version of ZoneAlarm.
Maybe the fresh install will reposition the firewall so that it
loads first, before AVG. Worth a try at least.

>>>>Seems to me that the firewall should load first when you have an
>>>>
>>>>>>>>>always-on Internet connection. It's worrying, only because if AVG
>>>>>>>>>can load before ZA, probably anything else can also.
>>>
>>>>>
>>>>>
>>>>> AFAIK, the only firewall that does that truly reliably is the build-in
>>>>> windows firewall (XXP SP2) since it is an integral part of the OS.
>>>>> It has a special (non-configurable) boot-time filter allowing only
>>>>> initial network traffic (DNS, DHCP etc.) until machine is running and
>>>>> firewall is in place. That's when the "normal" filtering rules take
>>>>> effect.
>>>>>
>>
>>>
>>>I'd be tempted to run the Windows firewall in combination with
>>>ZoneAlarm, except that ZoneAlarm wants to deactivate the Windows
>>>firewall when it runs (probably for good reasons -- conflicts).
>>>I'm not sure if I can turn the Windows firewall on in any case
>>>with ZoneAlarm running, but I guess I can try.
>
>
> Maybe you should just get rid of ZoneAlarm.
>
> What version of ZA? Free or Pro?
>
> What do you expect ZoneAlarm to do for you?

I'm presently using version 6.1.737 of ZA Free. I like the gui of
ZoneAlarm better than any other firewall I've tried, and I've
tried a few. I also like the animated ZA icon which shows incoming
and outgoing network traffic.

What I expect ZoneAlarm to do is was it says it will do -- prevent
any programs on my machine from phoning home without my permission.

<snip>
>I'm presently using version 6.1.737 of ZA Free. I like the gui of
>ZoneAlarm better than any other firewall I've tried, and I've
>tried a few.
>I also like the animated ZA icon which shows incoming
>and outgoing network traffic.

Please don't make that a justification for using ZoneAlarm
>What I expect ZoneAlarm to do is was it says it will do -- prevent
>any programs on my machine from phoning home without my permission.

Well, in that case I am sorry I will have to disappoint you. It
does'nt. To be very polite, the free version leaks like a sieve. My
own leaktests (and I did some of those, once again, on the latest
version of ZA free just a few days ago) confirm that. Andhttp://www.firewallleaktester.com/tests_overview.php (press the "view
results" button at the bottom) confirms it.

Even ZoneLabs themselves confirm that the free version cannot cope
with clever malware techniques. And they don't intend to fix it
either. Those methods are (funny enough) only beaten by a new
"groundbreaking" technique called "OSFirewall" in their pro version.
Well, that's yet another new word that does'nt even exist, though. It
seems like ZoneLabs made that up in order to add another smart-looking
buzzword to their web-site.

>>I'm presently using version 6.1.737 of ZA Free. I like the gui of
>>>ZoneAlarm better than any other firewall I've tried, and I've
>>>tried a few.
>
>
>>>I also like the animated ZA icon which shows incoming
>>>and outgoing network traffic.
>
>
> Please don't make that a justification for using ZoneAlarm
>

Hey, it's a nice animated icon.

>
>>>What I expect ZoneAlarm to do is was it says it will do -- prevent
>>>any programs on my machine from phoning home without my permission.
>
>
> Well, in that case I am sorry I will have to disappoint you. It
> does'nt. To be very polite, the free version leaks like a sieve. My
> own leaktests (and I did some of those, once again, on the latest
> version of ZA free just a few days ago) confirm that. And
> http://www.firewallleaktester.com/tests_overview.php (press the "view
> results" button at the bottom) confirms it.
>
> Even ZoneLabs themselves confirm that the free version cannot cope
> with clever malware techniques. And they don't intend to fix it
> either. Those methods are (funny enough) only beaten by a new
> "groundbreaking" technique called "OSFirewall" in their pro version.
> Well, that's yet another new word that does'nt even exist, though. It
> seems like ZoneLabs made that up in order to add another smart-looking
> buzzword to their web-site.

I just tried updating ZoneAlarm to the latest version. AVG still
updated itself at bootup as if ZoneAlarm wasn't even there --
because it wasn't, not having started yet. I stopped the antivirus
update in the middle myself, and the damn thing buggered up on me,
and later refused to finish the update, so I'm probably going to
go back to Avast, which I've generally found to be less trouble.

I'm looking for a simple free firewall to replace ZoneAlarm. I
don't want anything that's going to be so puzzling I won't know if
I'm wide open, but I want one that gives me full stealth (which
seems to me a minimum requirement in a firewall).

I tried Safety.Net 3.61, and it seemed to work fine, but gave a
puzzling result. Each time I'd boot, explorer.exe would install
itself in the list of approved programs, with checks beside both
local and internet. If I blocked it, the next boot would unblock
it again. I didn't know if this was a fault in the firewall, or
just something normal that I didn't understand. I did check on the
location of explorer.exe, and it was starting from the right
place, C:\Windows, so this suggests that it wasn't a trojan, but I
didn't understand the behavior. Maybe this wasn't showing up in
ZoneAlarm because ZoneAlarm wasn't even running that early in the
boot process?

I'm thinking I may try Sygate again. Any suggests for a free firewall?

on 8/10/2006 1:49 PM B. Nice said the following:
> On Wed, 09 Aug 2006 14:42:00 -0700, John Hyde <>
> wrote:
>
>> on 8/9/2006 2:03 PM Al Smith said the following:
>>> The ZoneAlarm people have always given assurances that even though the
>>> icon for ZoneAlarm take a while to show up on the monitor, the firewall
>>> itself is running and working immediately to block any Internet traffic
>>> to or from your computer.
>>>
>>> Well, bullshit. I recently installed AVG. I'm running ZoneAlarm Free
>>> 6.1.737. AVG can phone home from my computer at boot-up, and download
>>> its anti-virus update *before* ZoneAlarm starts.
>>>
>>> There's no doubt about this. I do not have any permissions in ZoneAlarm
>>> to allow AVG access, and no warning popped up in ZoneAlarm telling me
>>> that AVG wanted to access the Internet.
>>>
>>> I disabled the AVG update service, so AVG won't be automatically
>>> connecting anymore, but if AVG can do it, so can any other program.
>>> Which makes ZoneAlarm more or less worthless.
>> Which raises the question, can't you control this by changing the load
>> order?
>
> Why should he? - ZoneLabs claim all their products provide boot-time
> protection. I qoute:
>
<SNIP>
> So of course it should work, or otherwise we will just start to
> believe they are lying.

Ok, I agree. They say that their product loads first and it doesn't.

But suppose someone wants to keep zonealarm; perhaps they like the
animated icon ;-) Or perhaps their version of ZA loads first and they
want their AV to load first instead . . .

I still wonder if there is a way to manually control load order. Or are
you just stuck with whatever windows decides to do?

Share This Page

Welcome to Velocity Reviews!

Welcome to the Velocity Reviews, the place to come for the latest tech news and reviews.

Please join our friendly community by clicking the button below - it only takes a few seconds and is totally free. You'll be able to chat with other enthusiasts and get tech help from other members.
Sign up now!